chore: update Windows build to use PCRE2 as default

[fzipi]

what

• Windows/IIS build modernization: Updated to PCRE2, Visual C++ 2019 redistributables, and modern dependencies
• Installer refactoring: Replaced deprecated merge modules with redistributable package checks and launch conditions
• Build scripts: Fixed PCRE2 directory paths, updated dependency versions (CMake 4.2.3, PCRE2 10.47, Apache 2.4.66, zlib 1.3.1, libxml2 2.15.1, Lua 5.4.8, cURL 8.18.0,
  ssdeep 2.14.1)
• Configuration updates: Synced modsecurity.conf with recommended settings (fixed regex anchors, added JSON depth limit, deprecated SecStatusEngine)
• Documentation: Expanded Windows build guides with prerequisites, troubleshooting, and VC++ 2019 requirements
• Removed obsolete files: Deleted VC110/VC120 merge modules (VS2012/2013)
• CI enhancement: Enabled PCRE JIT in Windows workflow

why

• PCRE deprecation: PCRE is no longer maintained; PCRE2 provides better performance, JIT support, and (might) fix stack overflow issues
• Microsoft recommendation: Redistributable packages allow Windows Update to patch security vulnerabilities automatically, unlike deprecated merge modules
• Stability: Addresses reported pcre.dll stack overflow crashes (Stack overflow in pcre.dll #3436)
• Modern toolchain: VS2019/2022 support with up-to-date dependencies for better compatibility and security
• Maintainability: Smaller MSI installers, clearer error messages with download links, reduced deployment complexity
• Consistency: Aligned all documentation with current versions and corrected path inconsistencies

references

• partially addresses Stack overflow in pcre.dll #3436

[Copilot]

Pull request overview

Updates the Windows/IIS build tooling and documentation to prefer PCRE2 (and newer dependency versions), aligning with PCRE deprecation and addressing stability concerns like the reported pcre.dll stack overflow.

Changes:

• Bump Windows dependency versions (CMake, PCRE2, zlib, libxml2, Lua, cURL, Apache, ssdeep) and update download URLs.
• Switch Windows build/release scripts and NMake linkage from pcre.dll/pcre.lib to pcre2-8.dll/pcre2-8.lib, enabling PCRE JIT flags in NMake builds.
• Refresh README_WINDOWS.md build instructions to reference PCRE2 and newer dependency versions; CI attempts to enable PCRE JIT.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
iis/download_files.bat	Updates dependency versions and download URLs (including PCRE2).
iis/dependencies/build_pcre.bat	Switches dependency build from PCRE to PCRE2 and copies PCRE2 artifacts.
iis/build_release.bat	Packages pcre2-8.dll into release artifacts instead of pcre.dll.
iis/build_dependencies.bat	Updates dependency version variables used by the batch build pipeline.
iis/Makefile.win	Links against pcre2-8.lib and defines WITH_PCRE_JIT.
README_WINDOWS.md	Updates Windows build documentation to use PCRE2 and newer dependency versions.
.github/workflows/test-ci-windows.yml	Adds -DWITH_PCRE_JIT=ON to the IIS CMake configure step.

Comments suppressed due to low confidence (2)

README_WINDOWS.md:57

• The updated doc switches the Apache install dir to C:\Apache2466, but the example still references Apache/httpd 2.4.27 (httpd-2.4.27 and HTTPD_BUILD=C:\work\httpd-2.4.27). This is inconsistent and will mislead users following the updated instructions; update these example paths/versions to match the new Apache 2.4.66 guidance.

The directory where you build software from source ( ``C:\work`` in this exmaple)
must contain the Apache source you used to build the Apache web serverand the mod_security source

    Apache source is in             C:\work\httpd-2.4.27    in this example.
    Apache has been installed to    C:\Apache2466           in this example.
    Mod_security source is in       C:\work\mod_security    in this example.

## Download and untar the prerequisite library sources:

    Download pcre2-10.47.zip from https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.47/
    unzip it into C:\work\  creating C:\work\pcre2-10.47

    Download libxml2-2.15.1.tar.gz from https://download.gnome.org/sources/libxml2/2.15/
    untar it into C:\work\ creating C:\work\libxml2-2.15.1

    Download lua-5.4.8.tar.gz from http://www.lua.org/ftp/
    untar it into C:\work\ creating C:\work\lua-5.4.8

    Download curl-8.18.0.zip from https://curl.se/download/
    unzip it into C:\work\ creating C:\work\curl-8.18.0

    Download zlib-1.3.1.tar.gz from https://github.com/madler/zlib/releases/download/v1.3.1/
    untar it into C:\work\ creating C:\work\zlib-1.3.1

## Setup your build environment:

1. The ``PATH`` environment variable must include the Visual Studio variables as set by ``vsvars32.bat``

2. The ``PATH`` environment variable must also include the CMAKE ``bin\`` directory

3. Set an environment variable to the Apache source code directory:

SET HTTPD_BUILD=C:\work\httpd-2.4.27

README_WINDOWS.md:204

• The mlogc configuration examples still reference Apache2427 paths (e.g., CollectorRoot and SecAuditLog |C:/Apache2427/...) even though the PR updates the guide to Apache2466. These should be updated for consistency, otherwise users will end up with incorrect paths in their configs.

    CollectorRoot       "C:/Apache2427/logs"
    ConsoleURI          "https://localhost:8888/rpc/auditLogReceiver"
    SensorUsername      "test"
    SensorPassword      "testtest"
    LogStorageDir       "data"
    TransactionLog      "mlogc-transaction.log"
    QueuePath           "mlogc-queue.log"
    ErrorLog            "mlogc-error.log"
    LockFile            "mlogc.lck"
    KeepEntries         0
    ErrorLogLevel       2
    MaxConnections      10
    MaxWorkerRequests   1000
    TransactionDelay    50
    StartupDelay        5000
    CheckpointInterval  15
    ServerErrorTimeout  60

Change the SecAuditLog directive in ``conf\httpd.conf`` to pipe the log data to mlogc instead of writing them to a file:

    SecAuditLog |C:/Apache2427/bin/mlogc.bat

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 16 out of 20 changed files in this pull request and generated 10 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[fzipi]

@copilot open a new pull request to apply changes based on the open comments in this thread

[fzipi]

Documentation on Windows should be updated also on the wiki, if this one gets merged (follow up).

[Copilot]

Pull request overview

Copilot reviewed 17 out of 21 changed files in this pull request and generated 6 comments.

Comments suppressed due to low confidence (1)

iis/wix/list_dependencies.bat:83

• Several writes to the log file and the final explorer invocation use %log_file% without quotes (e.g., echo. >> %log_file%, >> %log_file%, explorer %log_file%). Since %TEMP% commonly contains spaces (user profile paths), these commands can break or write to the wrong file. Quote %log_file% consistently everywhere it’s used for redirection or as a command argument.

echo. >> %log_file%

REM Updated paths to include Visual Studio 2019 and 2022
set POSSIBLE_PATHS_X86="C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\*\bin\Hostx86\x86\dumpbin.exe" "C:\Program Files\Microsoft Visual Studio\2022\Professional\VC\Tools\MSVC\*\bin\Hostx86\x86\dumpbin.exe" "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\*\bin\Hostx86\x86\dumpbin.exe" "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\*\bin\Hostx86\x86\dumpbin.exe" "C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\*\bin\Hostx86\x86\dumpbin.exe" "C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\*\bin\Hostx86\x86\dumpbin.exe" "C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\bin\dumpbin.exe" "C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\bin\dumpbin.exe"
set POSSIBLE_PATHS_X64="C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\*\bin\Hostx64\x64\dumpbin.exe" "C:\Program Files\Microsoft Visual Studio\2022\Professional\VC\Tools\MSVC\*\bin\Hostx64\x64\dumpbin.exe" "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\*\bin\Hostx64\x64\dumpbin.exe" "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\*\bin\Hostx64\x64\dumpbin.exe" "C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\*\bin\Hostx64\x64\dumpbin.exe" "C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\*\bin\Hostx64\x64\dumpbin.exe" "C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\bin\x86_amd64\dumpbin.exe"

for %%i in (%POSSIBLE_PATHS_X86%) do (
	echo Checking for dumpbin x86... %%i
	echo Checking for dumpbin x86... %%i >> %log_file% 
	if exist %%i (

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud